Europe has SPF. It doesn't have enforcement.

HostingBrain analyst brief · July 2026 · data snapshot 2026-07-05 · aggregate-level, no named providers

Email security surveys love one number: SPF adoption. By that number, Europe looks done — of the 14.8 million mail-carrying, confirmed-active business domains we observe, 81.8% publish an SPF record. Compliance checklists get ticked. Deliverability consultants move on.

But an SPF record is a sentence, and the sentence has an ending. It either ends in -all"reject mail that fails" — or in ~all"flag it, deliver it anyway, someone else's problem." Measured on live DNS, only 29.3% of Europe's mail-carrying domains publish the reject ending. 47.4% publish soft-fail: the spoofed mail still arrives, wearing a warning label most mail clients never show.

Adoption is a solved problem. Enforcement is not. Half of Europe's business mailboxes are protected by a policy that asks spoofed mail to feel bad about itself.

The league table inverts when you measure enforcement

Per market, the two numbers tell opposite stories. Italy is an adoption champion — 89.2% of mail-carrying domains publish SPF — but only 1 in 4 of those publishers enforce. Sweden publishes least (65.5%) but its publishers enforce at the highest rate on the continent: 3 in 5. Poland is the only market strong on both axes.

% of mail-carrying business domains: SPF published (light) vs reject-on-fail enforced (solid) Poland94.4 / 53.8 Switzerland89.4 / 39.2 Austria84.5 / 41.4 Sweden65.5 / 39.3 Denmark62.7 / 35.8 UK80.9 / 30.6 France87.6 / 30.1 Netherlands86.5 / 29.7 Norway76.7 / 28.1 Spain91.5 / 25.5 Italy89.2 / 22.0 Germany77.8 / 21.5 Europe81.8 / 29.3 solid = SPF ending in -all (reject) · light = any SPF record Source: HostingBrain · hostingbrain.ai · as of 2026-07-05

Why the gap exists — and why it persists

Soft-fail is the safe default of the entire onboarding chain. Hosting panels generate ~all so a customer's newsletter never bounces during setup. Consultants recommend ~all "for the transition" — and the transition never ends, because nothing breaks. That is exactly the problem: a policy that never breaks anything also never blocks anything.

The countries that enforce are instructive. Poland's 53.8% and Sweden's publisher-enforcement rate (~60% of those who publish) don't come from stricter businesses — they come from national provider defaults and registrar practice. Email enforcement is an infrastructure-supply property before it is a customer-demand property. Which is also the commercial point: the operator who flips their default moves their whole book up this chart.

Why this costs money now — not someday

The receivers already flipped the switch. Since 2024, Google and Yahoo reject or junk bulk mail that fails authentication — the era of "flag it and deliver anyway" is ending on the receiving side regardless of what senders publish. A hosting book full of soft-fail customers is a book whose newsletters and invoices are drifting toward spam folders: deliverability incidents, support tickets, and churn that lands on the operator's P&L, not the customer's security budget.

Spoofing is the loss line, not the hypothetical. Business email compromise — the fraud that weak enforcement invites — is consistently among the largest cyber-loss categories insurers pay out. A domain publishing ~all is a domain any attacker can impersonate with mail that most receivers still deliver. For insurers and lenders, the enforcement share of a book is an underwritable, portfolio-level risk number; adoption percentages are not (everyone's is ~80%).

For hosting operators, this is a rare differentiator that isn't price. Enforcement is an infrastructure-supply property — the operator who ships reject-on-fail defaults plus DMARC setup and authentication monitoring moves the whole book up this chart, cuts their own deliverability support load, and sells protection into a base that increasingly has to buy it anyway. We benchmark posture per operator book, so the gap to peers is a number, not a pitch.

Method & honesty. Measured on mail-carrying, confirmed-active business domains (operating MX; parking and monetization MX excluded; dead pages excluded) — 14.8M in Europe, 29.3M globally (global: 80.2% SPF, 24.1% hard-fail; Europe is ahead of the world on enforcement). "Enforcement" = SPF policy ending -all; soft-fail ~all = 47.4% of Europe's mail-carrying domains. What this brief does NOT measure: DMARC. Our scanner currently reads apex TXT only, so genuine DMARC adoption (_dmarc.<domain>) is not yet collected — we found 52,615 European domains with DMARC records misplaced at the apex (a misconfiguration tally, not adoption), and we deliberately do not infer DMARC coverage from it. DMARC measurement is queued; this brief will be updated when it lands. Domain-level, aggregate-only; per-operator posture lives in the product.

Reproduce this — or ask it yourself

Every figure here is queryable through the HostingBrain connector. In Claude or any MCP-compatible assistant, this is the whole brief in one prompt:

Prompt · paste into an MCP client with HostingBrain connected

“Using HostingBrain, compare SPF adoption versus SPF hard-fail enforcement across European markets — Europe overall, then Poland, Italy, Sweden and Germany. Which markets publish but don't enforce?”

Resolves to email_security (free). See definitions('spf_posture').

Reproduce this analysis: the email_security tool returns adoption, hard-fail and soft-fail shares for every market above — free tier. Per-operator posture: email_security(operator=...) (Pro).

Ask the follow-up yourself. HostingBrain answers questions like this — with the date, denominator and caveats attached — inside Claude and any MCP-compatible assistant.

Get free access